CVE-2021-27625

CWE-787 — Out-of-bounds Write CWE-20 — Improper Input Validation3 documents3 sources

Severity

5.9MEDIUM

EPSS

0.5%

top 33.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Internet Graphics Service SAP Netweaver AS Internet Graphics Server

Timeline

PublishedJun 9

Latest updateMay 24

Description

SAP Internet Graphics Service, versions - 7.20,7.20EXT,7.53,7.20_EX2,7.81, allows an unauthenticated attacker after retrieving an existing system state value can submit a malicious IGS request over a network which due to insufficient input validation in method IgsData::freeMemory() which will trigger an internal memory corruption error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5sap_se/sap_internet_graphics_service< 7.20+4

▶NVDsap/netweaver_as_internet_graphics_server5 versions+4

🔴Vulnerability Details

GHSA

GHSA-v586-4xh5-67mm: SAP Internet Graphics Service, versions - 7↗2022-05-24

▶

CVEList

CVE-2021-27625: SAP Internet Graphics Service, versions - 7↗2021-06-09

▶